New Report: Speed and Security Are Both Possible in Software Development - Part 2
August 20, 2020

Taylor Armerding
Synopsys

According to Forrester research, of 40 university computer science programs in the US, not one requires students to take secure coding or secure application design courses. That piece of the cyber skills gap means such training is often left up to individual teams.

Developers are not, and should not be expected to be, security experts.

Start with New Report: Speed and Security Are Both Possible in Software Development - Part 1

But to make DevSecOps more effective and address both the speed and security pressures, development and security teams need to understand each other better. For developers, that means understanding how applications can be exploited — the OWASP Top 10 is a good start.

ESG listed other elements of the most effective AppSec programs, several of which include better security awareness for developers. They include:

■ Application security best practices are formally documented.

■ Application security training is included as part of the ongoing development security training program.

■ Development managers are responsible for communicating best practices to developers.

■ A high percentage of developers participate in formal application security training programs.

■ Security issue introduction is tracked for individual development teams.

Then there is the technology piece, a major part of which is security testing tools.

Tools are crucial to finding design flaws, vulnerabilities in code and open source defects and licensing conflicts. Most organizations use multiple tools, but some of them have gone overboard — way overboard.

ESG reported more than a year ago that organizations on average run 25 to 49 security tools from up to 10 different vendors. There's an industry term for it — "tool sprawl." And it can slow productivity and lead to higher overall costs — the very things a good mix of security tools should help development teams avoid.

Analysts like Forrester and 451 Research have reported on tool sprawl in the past year, noting that as many as 40% of organizations admit that their development teams are so overwhelmed by security alerts that they can't respond to at least 25% of them. Indeed, when security alerts are so constant, they become background "noise" and are ignored — the exact opposite of the intent.

Survey respondents are aware of the problem. "Nearly one-third of organizations are … planning future investment to consolidate and simplify their tools proliferation," the report said.

So, clearly one part of the solution is DevOps integration — finding the right mix of tools that can work together and are easy for developers to use. ESG found that, for organizations seeking to improve the security of their software, "the most common challenge with their current tools is that their developers lack the knowledge to (mitigate identified security issues)."


The other part is automation. "Most believe that automating application security testing throughout the SDLC can make the biggest impact on the success of their program. DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner," the report said.

The obvious goal is to build both security and speed into the SDLC. And based on the survey results, organizations are willing to invest to achieve that. More than half reported plans to "significantly increase spending on application security over the prior year."

Which means there is at least a chance that at some point in the future, the market will indeed get software-powered products that are the latest, greatest — and also the safest.

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

June 06, 2023

Appdome has integrated its platform with GitHub to build, scale, and deliver software.

June 06, 2023

DigiCert, announced a partnership with ReversingLabs to enhance software security by combining advanced binary analysis and threat detection from ReversingLabs with DigiCert's enterprise-grade secure code signing solution.

June 06, 2023

Semgrep announced that Semgrep Supply Chain is now free for all to use, up to a 10-contributor limit.

June 05, 2023

Checkmarx announced its new AI Query Builders and AI Guided Remediation to help development and AppSec teams more accurately discover and remediate application vulnerabilities.

June 05, 2023

Copado announced a technology partnership with nCino to provide financial institutions with proven tools for continuous integration, continuous delivery and automated testing of nCino features and functionality of the nCino cloud banking platform.

June 05, 2023

OpsMx announced extensions to OpsMx Intelligent Software Delivery (ISD) that make it a CI/CD solution designed for secure software delivery and deployment.

June 01, 2023

Couchbase announced a broad range of enhancements to its Database-as-a-Service Couchbase Capella™.

June 01, 2023

Remote.It release of Docker Network Jumpbox to enable zero trust container access for Remote.It users.

June 01, 2023

Platformatic launched a suite of new enterprise-grade products that can be self-hosted on-prem, in a private cloud, or on Platformatic’s managed cloud service:

May 31, 2023

Parasoft announced the release of C/C++test 2023.1 with complete support of MISRA C 2023 and MISRA C 2012 with Amendment 4.

May 31, 2023

Rezilion announced the release of its new Smart Fix feature in the Rezilion platform, which offers critical guidance so users can understand the most strategic, not just the most recent, upgrade to fix vulnerable components.

May 31, 2023

Zesty has partnered with skyPurple Cloud, the public cloud operations specialists for enterprises.

With Zesty, skyPurple Cloud's customers have already reduced their average monthly EC2 Linux On-Demand costs by 44% on AWS.

May 30, 2023

Red Hat announced Red Hat Trusted Software Supply Chain, a solution that enhances resilience to software supply chain vulnerabilities.

May 30, 2023

Mirantis announced Lens Control Center, to enable large businesses to centrally manage Lens Pro deployments by standardizing configurations, consolidating billing, and enabling control over outbound network connections for greater security.

May 25, 2023

Red Hat announced new capabilities for Red Hat OpenShift AI.